File name: douyin-downloader-v3.2.0-win32-ia32-default.exe

Full analysis: https://app.any.run/tasks/edffc517-d903-4fde-b038-8a5ab5fe4774
Verdict: Malicious activity
Analysis date: May 28, 2024, 17:59:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: C9F648B4232628240DA0928245642CBE
SHA1: 473075AEE806293AA5D404CA345F88C5C8973890
SHA256: A6F018539336570425955B25EBDCA6F31462E1D5F5C354F627BAA9E1D1C5A4A0
SSDEEP: 98304:7+kcGsrPaMcCc9CVWpYFe+4kUe5+RMKj5fEnO4bPOOnc2C7yPAdv2AdC694KIaPC:Xk2uDpT7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • douyin-downloader-v3.2.0-win32-ia32-default.exe (PID: 4092)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • douyin-downloader-v3.2.0-win32-ia32-default.exe (PID: 4092)
    • Malware-specific behavior (creating "System.dll" in Temp); note that System.dll under %TEMP%\ns*.tmp is the stock NSIS System plugin that every NSIS installer extracts at run time, so on its own this signature does not separate a malicious installer from a benign one

      • douyin-downloader-v3.2.0-win32-ia32-default.exe (PID: 4092)
    • Executable content was dropped or overwritten

      • douyin-downloader-v3.2.0-win32-ia32-default.exe (PID: 4092)
    • Adds/modifies Windows certificates

      • douyin-downloader-v3.2.0-win32-ia32-default.exe (PID: 4092)
    • Reads settings of System Certificates

      • douyin-downloader-v3.2.0-win32-ia32-default.exe (PID: 4092)
  • INFO

    • Checks supported languages

      • douyin-downloader-v3.2.0-win32-ia32-default.exe (PID: 4092)
      • wmpnscfg.exe (PID: 1116)
    • Reads the computer name

      • douyin-downloader-v3.2.0-win32-ia32-default.exe (PID: 4092)
      • wmpnscfg.exe (PID: 1116)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1116)
    • Create files in a temporary directory

      • douyin-downloader-v3.2.0-win32-ia32-default.exe (PID: 4092)
    • Reads the machine GUID from the registry

      • douyin-downloader-v3.2.0-win32-ia32-default.exe (PID: 4092)
    • Reads the software policy settings

      • douyin-downloader-v3.2.0-win32-ia32-default.exe (PID: 4092)
    • Creates files or folders in the user directory

      • douyin-downloader-v3.2.0-win32-ia32-default.exe (PID: 4092)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:12:15 22:26:14+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 473088
UninitializedDataSize: 16384
EntryPoint: 0x338f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.2.0.12743
ProductVersionNumber: 3.2.0.12743
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Beijing Microlive Vision Technology Co., Ltd.
FileDescription: 【抖音】记录美好生活 ("[Douyin] Record a beautiful life")
FileVersion: 3.2.0.12743
LegalCopyright: Copyright © 2023 Beijing Microlive Vision Technology Co., Ltd.
ProductName: douyin
ProductVersion: 3.2.0
No data.
All screenshots are available in the full report
Total processes
37
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

start -> douyin-downloader-v3.2.0-win32-ia32-default.exe; wmpnscfg.exe (no specs); douyin-downloader-v3.2.0-win32-ia32-default.exe (no specs)

Process information

PID: 1116
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3980
CMD: "C:\Users\admin\AppData\Local\Temp\douyin-downloader-v3.2.0-win32-ia32-default.exe"
Path: C:\Users\admin\AppData\Local\Temp\douyin-downloader-v3.2.0-win32-ia32-default.exe
Parent process: explorer.exe
User:
admin
Company:
Beijing Microlive Vision Technology Co., Ltd.
Integrity Level:
MEDIUM
Description:
【抖音】记录美好生活 ("[Douyin] Record a beautiful life")
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity instance could not install and exited; the HIGH-integrity instance PID 4092 below is the elevated run that performed the install)
Version:
3.2.0.12743
Modules
Images
c:\users\admin\appdata\local\temp\douyin-downloader-v3.2.0-win32-ia32-default.exe
c:\windows\system32\ntdll.dll
PID: 4092
CMD: "C:\Users\admin\AppData\Local\Temp\douyin-downloader-v3.2.0-win32-ia32-default.exe"
Path: C:\Users\admin\AppData\Local\Temp\douyin-downloader-v3.2.0-win32-ia32-default.exe
Parent process: explorer.exe
User:
admin
Company:
Beijing Microlive Vision Technology Co., Ltd.
Integrity Level:
HIGH
Description:
【抖音】记录美好生活 ("[Douyin] Record a beautiful life")
Version:
3.2.0.12743
Modules
Images
c:\users\admin\appdata\local\temp\douyin-downloader-v3.2.0-win32-ia32-default.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
Total events
5 469
Read events
5 441
Write events
23
Delete events
5

Modification events

PID 4092 douyin-downloader-v3.2.0-win32-ia32-default.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\ByteDance\douyin
Operation: write | Name: InstallPersetDir
Value: C:\Program Files\ByteDance\douyin

PID 4092 douyin-downloader-v3.2.0-win32-ia32-default.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\ByteDance\douyin
Operation: write | Name: PersetAutoStart
Value: 1

PID 4092 douyin-downloader-v3.2.0-win32-ia32-default.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\ByteDance\douyin
Operation: write | Name: PersetShortcut
Value: 1

PID 4092 douyin-downloader-v3.2.0-win32-ia32-default.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\ByteDance\douyin
Operation: write | Name: PersetChannelID
Value: 0

PID 4092 douyin-downloader-v3.2.0-win32-ia32-default.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write | Name: LanguageList
Value: en-US

PID 4092 douyin-downloader-v3.2.0-win32-ia32-default.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
Operation: delete value | Name: 9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Value: (none)

PID 4092 douyin-downloader-v3.2.0-win32-ia32-default.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: write | Name: Blob
Value: (certificate Blob; raw bytes not included in this extract)

PID 4092 douyin-downloader-v3.2.0-win32-ia32-default.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: write | Name: Blob
Value: (certificate Blob; raw bytes not included in this extract)

PID 4092 douyin-downloader-v3.2.0-win32-ia32-default.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation: delete value | Name: D69B561148F01C77C54578C10926DF5B856976AD
Value: (none)

PID 4092 douyin-downloader-v3.2.0-win32-ia32-default.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD
Operation: write | Name: Blob
Value: (certificate Blob; raw bytes not included in this extract)
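The two certificate-store writes (EnterpriseCertificates\Root\Certificates\9F6134C5… and SystemCertificates\AuthRoot\Certificates\D69B5611…) are the only SUSPICIOUS items in this report that warrant follow-up; the rest is ordinary NSIS installer behaviour. The delete-value-then-write-Blob sequence on the same thumbprint is the pattern crypt32 produces when it refreshes cached properties on an entry that already exists, and AuthRoot is the store Windows itself populates through automatic root update during chain building (D69B561148F01C77C54578C10926DF5B856976AD matches the published SHA-1 thumbprint of GlobalSign Root CA - R3), so the events on their own do not show a new trust root being installed. What settles it is the Blob content. The registry value is a sequence of property records, each a little-endian DWORD property id, a DWORD reserved field equal to 1, a DWORD length and the data, with property 32 (CERT_CERT_PROP_ID) holding the DER certificate. The Python below is an added example, not part of the ANY.RUN report and not code from the Douyin installer: it decodes such a Blob, recomputes the SHA-1 thumbprint from the DER, checks it against the key name and against an allowlist, and rejects truncated exports. The DER bytes and the allowlist are constructed stand-ins; on the sandbox image the real value is available from `(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD').Blob`.

```python
"""Decode a Windows certificate-store registry Blob and audit its thumbprint.

Added example. The container layout is the one crypt32 uses for values under
HKLM\SOFTWARE\Microsoft\SystemCertificates\<store>\Certificates\<sha1>\Blob
(and the EnterpriseCertificates equivalent).
"""
from __future__ import annotations

import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3   # cached SHA-1 of the certificate
CERT_CERT_PROP_ID = 32       # the DER-encoded certificate itself

# Constructed stand-in for a DER certificate (not a real X.509 object); it only
# needs to be a byte string whose SHA-1 we can recompute.
SAMPLE_DER = b"\x30\x82\x00\x20" + bytes(range(32))


def parse_cert_blob(blob: bytes) -> dict[int, bytes]:
    """Split a Blob into {property_id: data}.

    Record layout, all little-endian: DWORD propid, DWORD reserved (== 1),
    DWORD length, then `length` bytes of data. Truncated input is rejected
    rather than silently yielding a partial certificate.
    """
    props: dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        propid, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"property {propid}: reserved field is {reserved}, expected 1")
        if off + length > len(blob):
            raise ValueError(f"property {propid}: data runs past end of blob")
        props[propid] = blob[off:off + length]
        off += length
    return props


def build_blob(der: bytes, cached_sha1: bytes | None = None) -> bytes:
    """Assemble a Blob in the same container layout (used for the sample)."""
    out = b""
    if cached_sha1 is not None:
        out += struct.pack("<III", CERT_SHA1_HASH_PROP_ID, 1, len(cached_sha1)) + cached_sha1
    out += struct.pack("<III", CERT_CERT_PROP_ID, 1, len(der)) + der
    return out


def audit_blob(key_name: str, blob: bytes, trusted_thumbprints: set[str]) -> dict:
    """Recompute the thumbprint from the DER and compare it with the key name.

    A key name that does not match the certificate it holds, or a thumbprint
    absent from the allowlist, is the signal that a root was added or altered;
    the key name alone proves nothing because the writer chooses it.
    """
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("blob carries no certificate (property 32 missing)")
    thumb = hashlib.sha1(der).hexdigest().upper()
    cached = props.get(CERT_SHA1_HASH_PROP_ID)
    return {
        "key": key_name.upper(),
        "thumbprint": thumb,
        "matches_key": thumb == key_name.upper(),
        "cached_hash_ok": cached is None or cached.hex().upper() == thumb,
        "trusted": thumb in {t.upper() for t in trusted_thumbprints},
        "der_length": len(der),
    }


def demo() -> dict:
    """Run the audit over the constructed sample in three configurations."""
    sha1 = hashlib.sha1(SAMPLE_DER)
    thumb = sha1.hexdigest().upper()
    blob = build_blob(SAMPLE_DER, sha1.digest())
    # 1. key name and allowlist both agree with the certificate body
    ok = audit_blob(thumb.lower(), blob, {thumb})
    # 2. key name taken from this report, but the blob holds a different cert
    mismatch = audit_blob("D69B561148F01C77C54578C10926DF5B856976AD", blob, set())
    # 3. a truncated export must be rejected, not partially decoded
    try:
        parse_cert_blob(blob[:-3])
        truncated_rejected = False
    except ValueError:
        truncated_rejected = True
    return {"ok": ok, "mismatch": mismatch, "truncated_rejected": truncated_rejected}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Feed audit_blob the exported value together with the key name it was read from and a baseline of thumbprints taken from a clean image of the same OS build. An entry whose recomputed thumbprint matches its key name and is already present on the clean baseline is a property refresh by crypt32; one whose thumbprint is absent from the baseline, or does not match the key it sits under, is a root that the installer introduced and should be pulled out and examined.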
Executable files
5
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID | Process | Filename | Type
4092 | douyin-downloader-v3.2.0-win32-ia32-default.exe | C:\Users\admin\AppData\Local\Temp\nst40E4.tmp\downloader_nsis_plugin.dll | executable
MD5: 310100A8926513073F6998A803048BD0
SHA256: 8D765D283356500D1E414EC1397083E3F48CC8D0DEDC4B2B166FAD395C9DCD01

4092 | douyin-downloader-v3.2.0-win32-ia32-default.exe | C:\Users\admin\AppData\Local\Temp\SetSliderValue | executable
MD5: 310100A8926513073F6998A803048BD0
SHA256: 8D765D283356500D1E414EC1397083E3F48CC8D0DEDC4B2B166FAD395C9DCD01

4092 | douyin-downloader-v3.2.0-win32-ia32-default.exe | C:\Users\admin\AppData\Local\Temp\nst40E4.tmp\ThreadTimer.dll | executable
MD5: A85B2642D5D0B32433FEE15A75939421
SHA256: 92CC717F5278ACD8C21F0B8A28E5FF770CBD739E9C69B687BDDD56DEE70DCA70

4092 | douyin-downloader-v3.2.0-win32-ia32-default.exe | C:\Users\admin\AppData\Local\Temp\nst40E4.tmp\System.dll | executable
MD5: A9E623ABA2FE2D49BAFCD2CA4D8BE9BA
SHA256: 86A4B1E41C33D9132D27B07B1E53D5B250DFA59657C0C149F2903C8DEFC36A56

4092 | douyin-downloader-v3.2.0-win32-ia32-default.exe | C:\Users\admin\AppData\Local\Temp\nst40E4.tmp\shell_downloader.dll | executable
MD5: EBE140DE06F0517C82895AC8A279B2DF
SHA256: 1D96399991DE7EB3A018D5A0BCA22E88610ABAFE153DDB0F61186B7135CBABE0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
12
DNS requests
8
Threats
0

HTTP requests

No HTTP requests

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
4092 | douyin-downloader-v3.2.0-win32-ia32-default.exe | 221.194.141.157:443 | mcs.zijieapi.com | CHINA UNICOM China169 Backbone | CN | unknown
4092 | douyin-downloader-v3.2.0-win32-ia32-default.exe | 163.181.92.249:443 | api.toutiaoapi.com | Zhejiang Taobao Network Co.,Ltd | DE | unknown
4092 | douyin-downloader-v3.2.0-win32-ia32-default.exe | 163.181.157.117:443 | lf3-cdn-tos.bytegoofy.com | - | US | unknown
4092 | douyin-downloader-v3.2.0-win32-ia32-default.exe | 123.6.29.81:443 | mcs.zijieapi.com | CHINA UNICOM China169 Backbone | CN | unknown
4092 | douyin-downloader-v3.2.0-win32-ia32-default.exe | 112.90.95.60:443 | mcs.zijieapi.com | China Unicom Guangdong IP network | CN | unknown

DNS requests

Domain
IP
Reputation
mcs.zijieapi.com
  • 221.194.141.157
  • 123.6.29.81
  • 123.6.29.82
  • 112.90.95.59
  • 112.90.95.60
  • 221.194.141.156
unknown
api.toutiaoapi.com
  • 163.181.92.249
  • 163.181.92.250
  • 163.181.92.245
  • 163.181.92.225
  • 163.181.92.243
  • 163.181.92.226
  • 163.181.92.241
  • 163.181.92.246
unknown
lf3-cdn-tos.bytegoofy.com
  • 163.181.157.117
  • 163.181.157.113
  • 163.181.157.114
  • 163.181.157.118
  • 163.181.157.115
  • 163.181.157.120
  • 163.181.157.119
  • 163.181.157.116
unknown

Threats

No threats detected
Process | Message
douyin-downloader-v3.2.0-win32-ia32-default.exe | chkAgree status:1
douyin-downloader-v3.2.0-win32-ia32-default.exe | checkBoxAutoStart status:1
douyin-downloader-v3.2.0-win32-ia32-default.exe | checkBoxDesktopShortcut status:1
douyin-downloader-v3.2.0-win32-ia32-default.exe | exec